8000 Intelligent Network Manager SR6.0 LDAP/RADIUS Authentication Configuration User Manual
76.8060-70216A 11.07.2014



Document Information

© 2014 Tellabs. All rights reserved.

This manual is protected by U.S. and international copyright laws, conventions and treaties. Your right to use this manual is subject to limitations and restrictions imposed by applicable licenses and copyright laws. Unauthorized reproduction, modification, distribution, display or other use of this manual may result in criminal and civil penalties. The following trademarks and service marks are owned by Tellabs Operations, Inc. or its affiliates in the United States and/or other countries: TELLABS®, TELLABS® logo, TELLABS and T symbol®, T symbol®, CORIANT™.

Any other company or product names may be trademarks of their respective companies.

The specifications and information regarding the products in this manual are subject to change without notice. All statements, information, and recommendations in this manual are believed to be accurate but are presented without warranty of any kind, express or implied. Users must take full responsibility for their application of any products.

Adobe® and Reader® are registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Tellabs and Coriant are joining forces. You may see references to Coriant or Tellabs when doing business with us. Contact information is available at http://www.coriant.com.

8000 Intelligent Network Manager SR6.0 76.8060-70216A
LDAP/RADIUS Authentication Configuration User Manual © 2014 Tellabs.


Terms and Abbreviations

Term     Explanation
LDAP     Lightweight Directory Access Protocol
RADIUS   Remote Access Dial-In User Service
VSA      Vendor-Specific Attribute


Table of Contents

About the Manual ........................................................ 6
    Objectives .......................................................... 6
    Audience ............................................................ 6
    Document Conventions ................................................ 6
    Product Name Rebranding ............................................. 6
    Documentation Feedback .............................................. 7

1 LDAP/RADIUS Authentication Configuration .............................. 8

2 Using LDAP/RADIUS Authentication Configuration Tool ................... 9
    2.1 LDAP Connection Parameters ..................................... 10
    2.2 Adding Profiles for LDAP Authenticated Operators ............... 13
    2.3 Inserting LDAP Directory Server Parameters ..................... 13
        2.3.1 Adding a New LDAP Server ................................. 13
        2.3.2 Adding a New Certificate File ............................ 17
        2.3.3 Assigning Certificates to LDAP Servers ................... 18
        2.3.4 Enabling LDAP Authentication ............................. 19
    2.4 Inserting RADIUS Server Parameters ............................. 20
        2.4.1 Adding a New RADIUS Server ............................... 20
        2.4.2 Adding a New Certificate File ............................ 24
        2.4.3 Assigning Certificates to RADIUS Servers ................. 25
        2.4.4 Enabling RADIUS Authentication ........................... 26
    2.5 Configuring Vendor-Specific Attributes in RADIUS Server ........ 27


About the Manual

Objectives

This manual provides instructions on configuring LDAP or RADIUS authentication in 8000 Intelligent Network Manager.

Audience

This information is aimed at system administrators of 8000 Intelligent Network Manager and the 8000 Intelligent Network Manager database.

Document Conventions

This is a note symbol. It emphasizes or supplements information in the document.

This is a caution symbol. It indicates that damage to equipment is possible if the instructions are not followed.

This is a warning symbol. It indicates that bodily injury is possible if the instructions are not followed.

Product Name Rebranding

Product names are being rebranded and as a result the product name format consists of a numerical identifier and a descriptive part.

Additionally, the previous Tellabs 7300 product family is renamed and the individual product names are also changed. The table below lists previous and new product names. You may see instances of both the previous and the new product names in the customer documents during the transition period to the new naming system.

Previous Product Name                          New Product Name
Tellabs® 7300 metro Ethernet switching series  7090 Packet Transport Platform Series
Tellabs® 7305                                  7090-05 CE
Tellabs® 7307                                  7090-07 CE
Tellabs® 7310                                  7310
Tellabs® 7325                                  7090-25 CE
Tellabs® 7345                                  7090-45 CE

Documentation Feedback

Please contact us to suggest improvements or to report errors in our documentation:

Email: [email protected]


1 LDAP/RADIUS Authentication Configuration

Lightweight Directory Access Protocol (LDAP)/Remote Access Dial-In User Service (RADIUS) authentication is a method of verifying 8000 Intelligent Network Manager operators against an external LDAP/RADIUS Server. 8000 Intelligent Network Manager provides a special tool for this purpose, the LDAP/RADIUS Authentication Configuration tool, LDAPCONF.EXE. The tool is located in the C:\NMS\bin folder.

The LDAP/RADIUS Server contains a directory of users. User privileges in 8000 Intelligent Network Manager can be specified by creating appropriate profiles for different types of operators and then matching the nmsprofile attribute in the LDAP/RADIUS Server with the name of the profile in 8000 Intelligent Network Manager.

The access to different LDAP/RADIUS Servers is defined by certificates that are stored in the database of 8000 Intelligent Network Manager.

The Coriant Vendor-Specific Attributes (VSAs) must be configured in the RADIUS Server. For more details refer to 2.5 Configuring Vendor-Specific Attributes in RADIUS Server.


2 Using LDAP/RADIUS Authentication Configuration Tool

The following 11 menu options can be found in the main menu of the LDAP/RADIUS Authentication Configuration tool, see also Fig. 1.

1. Add a new LDAP/RADIUS Server
   Used for inserting LDAP/RADIUS Server parameters into the database.

2. Add a new certificate file
   Used for inserting the LDAP/RADIUS Server/issuer certificate into the database.

   Note:
   1. The server certificate cannot be self-signed.
   2. The server certificate must have the same “common name” as the LDAP Server.
   3. The signing algorithm cannot be MD5.
   4. The CA certificate stored in the database must be DER-encoded.

3. Assign certificates to LDAP/RADIUS Servers
   Used for assigning certificates to LDAP/RADIUS Servers.

4. Modify LDAP/RADIUS Server parameters
   Used for changing the desired parameters of the LDAP/RADIUS Server.

5. Modify certificate parameters
   Used for changing the certificate.

6. Un-assign certificate from LDAP/RADIUS Server
   Removes assignments from the database. Server parameters and certificates remain in the database.

7. Delete certificate from database
   If the certificate is not needed by any of the LDAP/RADIUS Servers, it can be removed. You need to first perform option 6, Un-assign certificate from LDAP/RADIUS Server, to unassign the certificate; then you can delete the certificate.

8. Delete LDAP/RADIUS Server from database
   If there are obsolete LDAP/RADIUS Servers in the database, they can be removed. You need to first perform option 6, Un-assign certificate from LDAP/RADIUS Server, to unassign the certificate; then you can delete the server.

9. List LDAP/RADIUS Servers from database
   Lists the configured LDAP/RADIUS Servers.

10. List LDAP/RADIUS Certificates from database
    Lists the installed certificates.

11. List assigned LDAP/RADIUS Certificates from database
    Lists the certificates assigned to LDAP/RADIUS Servers.


Fig. 1 LDAPCONF.EXE Main Menu

When all the necessary parameters are given, option 99 is used for enabling/disabling the LDAP/RADIUS authentication. When the configuration is ready, option 0 is used for exiting the tool.

2.1 LDAP Connection Parameters

The required and optional LDAP connection parameters needed for configuring LDAP/RADIUS Authentication are listed in the table below.

Parameters for LDAP Server

Parameter         Example value                  Type     Explanation

hostid            1                              number   A unique identifier of the LDAP Directory Server or the RADIUS Server in the database. It is given automatically by LDAPCONF.EXE and can be written down here for future reference.
servertype        1                              number   The server type; 1 = LDAP, 2 = RADIUS.
hostname          ldapserver.example.com or      text     The hostname of the LDAP Directory Server with domain, or the IP address of the RADIUS Server.
                  123.123.123.123
portnumber        636                            number   LDAP Authentication port. The default SSL port is 636.
connectionstring  ou=people,dc=example,dc=com    text     The connection string passed to the bind function (ldap_simple_bind_s). NOTE: Not used in RADIUS.
rank              1                              number   LDAP Server ranking. The servers are called in the order of the rank number. Used for redundancy: if the connection to the higher ranking server fails, the next one is used. NOTE: Not used in RADIUS.
attrdn            dc=example,dc=com              text     Distinguished Name of the entry at which to start the user search in ldap_search_s. NOTE: Not used in RADIUS.
attrcn            cn                             text     Relative Distinguished Name of the container of users. NOTE: Not used in RADIUS.
attruid           uid                            text     Name of the User Id attribute. NOTE: Not used in RADIUS.
attrpw            userPassword                   text     Name of the user password attribute. NOTE: This is not used; the password is not stored in the 8000 Intelligent Network Manager database. Leave it empty.
attrnmsprofile    nmsProfile                     text     Name of the 8000 Intelligent Network Manager operator profile attribute. NOTE: Not used in RADIUS; in RADIUS the Tellabs-NmsProfile attribute is used.
attrname          name                           text     Optional: name of the operator name attribute. If the full name of the operator is specified in the LDAP Server, it can be retrieved to operator.name.
attraddress       address                        text     Optional: name of the operator address attribute. If the address of the operator is specified in the LDAP Server, it can be retrieved to operator.address.
attrphone         phone                          text     Optional: name of the operator phone attribute. If the phone number of the operator is specified in the LDAP Server, it can be retrieved to operator.phone.
attrinfo          info                           text     Optional: name of the additional information attribute for the operator. If there is additional information stored in the LDAP Server, it can be retrieved to operator.info.
radiusauthport    1812                           number   RADIUS authentication port. NOTE: Not used in LDAP.
sockettimeout     5                              number   RADIUS socket timeout. NOTE: Not used in LDAP.
socketretries     5                              number   RADIUS retry count. NOTE: Not used in LDAP.
nasipaddress      0x7b7b7b7b                     binary, given as string, e.g. 123.123.123.123   NAS-IP-Address. NOTE: Not used in LDAP.
nasportnumber     1                              number   NAS-Port-Number. NOTE: Not used in LDAP.
sharedsecret      mysharedsecret                 text     Shared secret. NOTE: Not used in LDAP.

Parameters for Certificate File

Parameter        Example value                       Explanation

certid           1                                   A unique identifier of the certificate in the database. It is given automatically by LDAPCONF.EXE and can be written down here for future reference.
certificatefile  D:\In-certificate.issuer.cer        Path to the certificate file.
description      This is an issuer type certificate  Enter a description to help identify different certificates in the database.

Note:
1. The server certificate cannot be self-signed.
2. The server certificate must have the same “common name” as the LDAP Server.
3. The signing algorithm cannot be MD5.
4. The CA certificate stored in the database must be DER-encoded.


2.2 Adding Profiles for LDAP Authenticated Operators

In 8000 Intelligent Network Manager, profiles need to be added for LDAP authenticated operators. You need to be logged in with the system administrator username when adding the profiles. Note that the name given in the Name entry field must match the nmsprofile attribute given to the operator in the LDAP Directory Server; otherwise a Profile not found error is given when an LDAP authenticated operator tries to log in. For more detailed instructions on adding profiles, refer to 8000 Intelligent Network Manager Online Help.

2.3 Inserting LDAP Directory Server Parameters

2.3.1 Adding a New LDAP Server

Step 1  Run LDAPCONF.EXE by using the following command.

    C:\nms\bin>ldapconf.exe sa <sapassword>

LDAPCONF.EXE can only be run by the system administrator. The 8000 Intelligent Network Manager database system administrator (sa) login is needed.

If sa is not used, the following error occurs:

    You must login with System administrator's username (sa)
    LDAP/RADIUS Authentication configuration failed!

Step 2  Select 1 and press Enter.

Step 3  Enter the LDAP Server type.

    Server Type (e.g. 1 = LDAP, 2 = RADIUS): 1

Step 4  Enter the name of the LDAP Directory Server.

    The hostname/IP address of the LDAP Directory Server (with domain, e.g. ldapserver.example.com): ldapserver.example.com

Step 5  Enter the LDAP Authentication port.

    LDAP Authentication port (0): 636

Step 6  Enter the connection string.

    The connection string (e.g. ou=people,dc=example,dc=com): ou=people,dc=example,dc=com

Step 7  Enter the ranking.

    LDAP/RADIUS Server ranking (e.g. 1): 1

Step 8  Enter the domain of the distinguished name where to start the search.

    Distinguished Name where to start user search (e.g. dc=example,dc=com): dc=example,dc=com

Step 9  Enter the relative distinguished name of the user container.

    Relative Distinguished Name of user container (e.g. cn): cn

Step 10 Enter the name of the User Id attribute.

    Name of the User Id attribute (e.g. uid): uid


Step 11 Enter the name of the 8000 Intelligent Network Manager operator profile attribute.

    Name of the 8000 Manager operator profile attribute (e.g. nmsProfile): nmsprofile

Step 12 Enter the name of the 8000 Intelligent Network Manager operator name attribute. Note that this step is optional.

    Name of the Operator name attribute (e.g. userFullName): name

Step 13 Enter the name of the 8000 Intelligent Network Manager operator address attribute. Note that this step is optional.

    Name of the Operator address attribute (e.g. userAddress): address

Step 14 Enter the name of the 8000 Intelligent Network Manager operator phone attribute. Note that this step is optional.

    Name of the Operator phone attribute (e.g. userPhone): phone

Step 15 Enter the name of the 8000 Intelligent Network Manager operator info attribute. Note that this step is optional.

    Name of the Additional information attribute (e.g. userInfo): info

Step 16 Verify the parameters and if they are correct, enter Y.

    Are the parameters correct (Y/N/Q=quit)? Y

    Storing LDAP/RADIUS Server to the database...

    Installed LDAP/RADIUS Servers
    -----------------------------------------------------
    hostid           : 1
    servertype       : 1 = LDAP
    hostname         : ldapserver.example.com
    portnumber       : 636
    connectionstring : ou=people,dc=example,dc=com
    rank             : 1
    attrdn           : dc=example,dc=com
    attrcn           : cn
    attruid          : uid
    attrnmsprofile   : nmsprofile
    attrname         : name
    attraddress      : address
    attrphone        : phone
    attrinfo         : info
    protocoltype     : Undefined
    radiusauthport   : 0
    sockettimeout    : 0
    socketretries    : 0
    nasipaddress     : 0.0.0.0
    nasportnumber    : 0
    sharedsecret     :
    -----------------------------------------------------
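A checker for the "Installed LDAP/RADIUS Servers" record printed above, written in Python against the parameter rules of the table in 2.1; this is an added example and not part of LDAPCONF.EXE. The listing it parses is a constructed copy of the tool's output format with two LDAP servers and one RADIUS server, and the finding texts are this example's own.

```python
import ipaddress
import re

# Constructed listing in the 'name : value' layout LDAPCONF.EXE prints between dashed separators.
SAMPLE_LISTING = """\
Installed LDAP/RADIUS Servers
-----------------------------------------------------
hostid : 2
servertype : 1 = LDAP
hostname : ldapserver2.example.com
portnumber : 636
connectionstring : ou=people,dc=example,dc=com
rank : 2
attrdn : dc=example,dc=com
attruid : uid
attrnmsprofile : nmsprofile
-----------------------------------------------------
hostid : 1
servertype : 1 = LDAP
hostname : ldapserver.example.com
portnumber : 636
connectionstring : ou=people,dc=example,dc=com
rank : 1
attrdn : dc=example,dc=com
attruid : uid
attrnmsprofile : nmsprofile
-----------------------------------------------------
hostid : 3
servertype : 2 = RADIUS
hostname : 123.123.123.123
rank : 1
protocoltype : CHAP
radiusauthport : 1812
nasipaddress : 123.123.123.123
nasportnumber : 1
sharedsecret :
-----------------------------------------------------
"""

LDAP, RADIUS = 1, 2
FIELD = re.compile(r"^(\w+)\s*:\s?(.*)$")

def parse_listing(text):
    """Split the listing into one dict per server record."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("---"):
            if current:
                records.append(current)
            current = {}
            continue
        m = FIELD.match(line.rstrip())
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:
        records.append(current)
    return records

def server_type(rec):
    """'1 = LDAP' -> 1, '2 = RADIUS' -> 2."""
    return int(rec["servertype"].split("=")[0])

def nas_ip_to_hex(dotted):
    """nasipaddress is stored as four binary bytes but entered as dotted text;
    123.123.123.123 is stored as 0x7b7b7b7b."""
    return "0x%08x" % int(ipaddress.IPv4Address(dotted))

def check_record(rec):
    """Findings for one record; an empty list means it is consistent with the
    2.1 table for its server type. Finding texts are this example's own."""
    findings = []
    kind = server_type(rec)
    if kind == LDAP:
        for key in ("connectionstring", "attrdn", "attruid", "attrnmsprofile"):
            if not rec.get(key):
                findings.append("LDAP server missing %s" % key)
        if rec.get("portnumber") != "636":
            findings.append("portnumber is not the default SSL port 636; confirm TLS is still used")
    elif kind == RADIUS:
        if not rec.get("sharedsecret"):
            findings.append("RADIUS server has an empty sharedsecret")
        if rec.get("radiusauthport", "0") == "0":
            findings.append("radiusauthport not set (default 1812)")
        if rec.get("nasipaddress", "0.0.0.0") == "0.0.0.0":
            findings.append("nasipaddress not set")
    else:
        findings.append("unknown servertype %r" % rec["servertype"])
    return findings

def failover_order(records):
    """LDAP hostnames in the order the manager tries them (ascending rank).
    rank is not used for RADIUS, so those records are skipped."""
    ldap = [r for r in records if server_type(r) == LDAP]
    return [r["hostname"] for r in sorted(ldap, key=lambda r: int(r["rank"]))]

if __name__ == "__main__":
    for rec in parse_listing(SAMPLE_LISTING):
        print(rec["hostid"], check_record(rec))   # hostid 3 reports the empty secret
    print(failover_order(parse_listing(SAMPLE_LISTING)))
```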


Adding More Than One LDAP Server

When adding more than one LDAP Server, the parameters can be copied from the previously installed LDAP Server.

Step 1  Run LDAPCONF.EXE by using the following command.

    C:\nms\bin>ldapconf.exe sa <sapassword>

Step 2  Select 1 and press Enter.

Step 3  Select an LDAP Server where to copy the parameters from.

    Installed LDAP/RADIUS Servers
    -----------------------------------------------------
    hostid           : 1
    servertype       : 1 = LDAP
    hostname         : ldapserver.example.com
    portnumber       : 636
    connectionstring : ou=people,dc=example,dc=com
    rank             : 1
    attrdn           : dc=example,dc=com
    attrcn           : cn
    attruid          : uid
    attrnmsprofile   : nmsprofile
    attrname         : name
    attraddress      : address
    attrphone        : phone
    attrinfo         : info
    protocoltype     : Undefined
    radiusauthport   : 0
    sockettimeout    : 0
    socketretries    : 0
    nasipaddress     : 0.0.0.0
    nasportnumber    : 0
    sharedsecret     :
    -----------------------------------------------------
    Copy parameters from already configured server (Y=<hostid of existing server>/N=No)? 1

Step 4  Enter the server type.

    Server Type (1 = LDAP): 1

Step 5  Enter the name of the LDAP Directory Server.

    The hostname/IP address of the LDAP Directory Server (ldapserver.example.com): ldapserver2.example.com

Step 6  If the rest of the values are the same, you can accept them by pressing Enter.

    The connection string (ou=people,dc=example,dc=com):
    LDAP/RADIUS Server ranking (e.g. 1): 2
    Distinguished Name where to start user search (dc=example,dc=com):
    Relative Distinguished Name of user container (cn):
    Name of the User Id attribute (uid):
    Name of the User password attribute ():
    Name of the 8000 Manager operator profile attribute (nmsprofile):
    Name of the Operator name attribute (name):
    Name of the Operator address attribute (address):
    Name of the Operator phone attribute (phone):
    Name of the Additional information attribute (info):
    -----------------------------------------------------

    Please verify that the LDAP server parameters are correct:
    -----------------------------------------------------
    Server type: LDAP
    The hostname of the LDAP/RADIUS Directory Server: ldapserver2.example.com
    The connection string: ou=people,dc=example,dc=com
    LDAP/RADIUS Server ranking: 2
    Distinguished Name where to start user search: dc=example,dc=com
    Relative Distinguished Name of user container: cn
    Name of the User Id attribute: uid
    Name of the 8000 Manager operator profile attribute: nmsprofile
    Name of the Operator name attribute: name
    Name of the Operator address attribute: address
    Name of the Operator phone attribute: phone
    Name of the Additional information attribute: info
    -----------------------------------------------------
    Are the parameters correct (Y/N/Q=quit)? Y

    Storing LDAP/RADIUS Server to the database...

    Installed LDAP/RADIUS Servers
    -----------------------------------------------------
    hostid           : 1
    servertype       : 1 = LDAP
    hostname         : ldapserver.example.com
    portnumber       : 636
    connectionstring : ou=people,dc=example,dc=com
    rank             : 1
    attrdn           : dc=example,dc=com
    attrcn           : cn
    attruid          : uid
    attrnmsprofile   : nmsprofile
    attrname         : name
    attraddress      : address
    attrphone        : phone
    attrinfo         : info
    protocoltype     : Undefined
    radiusauthport   : 0
    sockettimeout    : 0
    socketretries    : 0
    nasipaddress     : 0.0.0.0
    nasportnumber    : 0
    sharedsecret     :
    -----------------------------------------------------
    hostid           : 2
    servertype       : 1 = LDAP
    hostname         : ldapserver2.example.com
    portnumber       : 636
    connectionstring : ou=people,dc=example,dc=com
    rank             : 2
    attrdn           : dc=example,dc=com
    attrcn           : cn
    attruid          : uid
    attrnmsprofile   : nmsprofile
    attrname         : name
    attraddress      : address
    attrphone        : phone
    attrinfo         : info
    protocoltype     : Undefined
    radiusauthport   : 0
    sockettimeout    : 0
    socketretries    : 0
    nasipaddress     : 0.0.0.0
    nasportnumber    : 0
    sharedsecret     :
    -----------------------------------------------------

2.3.2 Adding a New Certificate File

Note:
1. The server certificate cannot be self-signed.
2. The server certificate must have the same “common name” as the LDAP Server.
3. The signing algorithm cannot be MD5.
4. The CA certificate stored in the database must be DER-encoded.

Step 1  Run LDAPCONF.EXE by using the following command.

    C:\nms\bin>ldapconf.exe sa <sapassword>

Step 2  Select 2 and press Enter.

Step 3  Define the path to the certificate file.

    The path to the certificate NOTE: for LDAP only! (e.g. d:\in-certificate.cer): D:\In-certificate.issuer.cer

Step 4  Write a description for the certificate.

    Give some description to identify the certificate: Some descriptive information

Step 5  Press Enter for the rest of the parameters.

    EAP-TLS Authentication - certificate key file type NOTE: for RADIUS only! (e.g. pkcs12):
    EAP-TLS Authentication - certificate filepath NOTE: for RADIUS only!:
    EAP-TLS Authentication - key password NOTE: for RADIUS only!:
    EAP-TLS Authentication - CA file type NOTE: for RADIUS only! (e.g. pkcs12):
    EAP-TLS Authentication - CA filepath NOTE: for RADIUS only!:
    EAP-TLS Authentication - CA password:
    -----------------------------------------------------


Step 6  Verify the parameters and if they are correct, enter Y.

    Are the parameters correct (Y/N/Q=quit)? Y

    Storing LDAP Certificate to the database...
    Installed LDAP Certificates
    -----------------------------------------------------
    certid  certdate                    descr
    -----------------------------------------------------
    1       Jun 29 2009 10:25:57:930AM  Some descriptive information
    -----------------------------------------------------

2.3.3 Assigning Certificates to LDAP Servers

Step 1  Run LDAPCONF.EXE by using the following command.

    C:\nms\bin>ldapconf.exe sa <sapassword>

Step 2  Select 3 and press Enter.

Step 3  Enter the ID of the certificate.

    Choose a certificate (certid, q=quit)?: 1

Step 4  Enter the ID of the LDAP/RADIUS Server.

    Choose an LDAP/RADIUS Server (hostid)?: 1

Step 5  Verify the parameters and if they are correct, enter Y.

    Are the parameters correct (Y/N/Q=quit)? Y

    Storing LDAP/RADIUS Certificate assignment to the database...
    Assigned LDAP/RADIUS Certificates
    -----------------------------------------------------
    hostid  hostname                 certid
    -----------------------------------------------------
    1       ldapserver.example.com   1
    -----------------------------------------------------

All installed LDAP Directory Servers require assigned certificates; otherwise no connection to them can be made.

Assigning a Certificate to Additional Servers

Step 1 Select 3 and press Enter.


Step 2  Select the certificate ID and server ID and accept your selection.

    Choose a certificate (certid, q=quit)?: 1
    Choose an LDAP/RADIUS Server (hostid)?: 2
    Please verify that the assignments are correct:
    -----------------------------------------------------
    The certid of the LDAP/RADIUS Certificate: 1
    The hostid of the LDAP/RADIUS Server: 2
    -----------------------------------------------------
    Are the parameters correct (Y/N/Q=quit)? Y

    Storing LDAP/RADIUS Certificate assignment to the database...
    Assigned LDAP/RADIUS Certificates
    -----------------------------------------------------
    hostid  hostname                  certid
    -----------------------------------------------------
    1       ldapserver.example.com    1
    2       ldapserver2.example.com   1
    -----------------------------------------------------

2.3.4 Enabling LDAP Authentication

Step 1  Run LDAPCONF.EXE by using the following command.

    C:\nms\bin>ldapconf.exe sa <sapassword>

Step 2  Select 99 and press Enter.

Step 3  Confirm the enabling of the LDAP/RADIUS Authentication.

    Are you sure you want to enable LDAP/RADIUS Authentication (y/n)?: y

When the LDAP/RADIUS Authentication has been enabled, it can be seen in the main menu:

    *****************************************************************
    * Copyright (C) 2006-2009 Tellabs. All rights reserved.
    *****************************************************************
    * LDAP/RADIUS Authentication (DISABLED)
    *****************************************************************
    * Choose a configuration option:
    *
    * 1. Add a new LDAP/RADIUS Server
    * 2. Add a new certificate file
    * 3. Assign certificates to LDAP/RADIUS Servers
    * 4. Modify LDAP/RADIUS Server parameters
    * 5. Modify certificate parameters
    * 6. Un-assign certificate from LDAP/RADIUS Server
    * 7. Delete certificate from database
    * 8. Delete LDAP/RADIUS Server from database
    * 9. List LDAP/RADIUS Servers from database
    * 10. List LDAP/RADIUS Certificates from database
    * 11. List assigned LDAP/RADIUS Certificates from database
    *
    * 99. Enable LDAP/RADIUS Authentication?
    *
    * 0. Quit
    *****************************************************************
    option:

2.4 Inserting RADIUS Server Parameters

2.4.1 Adding a New RADIUS Server

Step 1  Run LDAPCONF.EXE by using the following command.

    C:\nms\bin>ldapconf.exe sa <sapassword>

LDAPCONF.EXE can only be run by the system administrator. The 8000 Intelligent Network Manager database system administrator (sa) login is needed.

If sa is not used, the following error occurs:

    You must login with System administrator's username (sa)
    LDAP/RADIUS Authentication configuration failed!

Step 2  Select 1 and press Enter.

Step 3  Enter the RADIUS Server type.

    Server Type (e.g. 1 = LDAP, 2 = RADIUS): 2

Step 4  Enter the name of the RADIUS Server.

    The IP address of the RADIUS Server (e.g. 123.123.123.123): 123.123.123.123

Step 5  Leave the connection string empty.

    The connection string (e.g. ou=people,dc=example,dc=com):

Step 6  Enter the ranking.

    LDAP/RADIUS Server ranking (e.g. 1): 1

Step 7  Leave the domain of the distinguished name where to start the search empty.

    Distinguished Name where to start user search (e.g. dc=example,dc=com):

Step 8  Leave the relative distinguished name of the user container empty.

    Relative Distinguished Name of user container (e.g. cn):

Step 9  Leave the name of the User Id attribute empty.

    Name of the User Id attribute (e.g. uid):

Step 10 Leave the name of the 8000 Intelligent Network Manager operator profile attribute empty.

    Name of the 8000 Manager operator profile attribute (e.g. nmsProfile):

Step 11 Leave the name of the 8000 Intelligent Network Manager operator name attribute empty.

    Name of the Operator name attribute (e.g. userFullName):

Step 12 Leave the name of the 8000 Intelligent Network Manager operator address attribute empty.

    Name of the Operator address attribute (e.g. userAddress):


Step 13 Leave the name of the 8000 Intelligent Network Manager operator phone attribute empty.

    Name of the Operator phone attribute (e.g. userPhone):

Step 14 Leave the name of the 8000 Intelligent Network Manager operator info attribute empty.

    Name of the Additional information attribute (e.g. userInfo):

Step 15 Enter the protocol type used to connect to the RADIUS Server.

    Protocol Type (1 = CHAP, 2 = MSCHAPv1, 3 = MSCHAPv2, 4 = EAP-TLS, 5 = EAP-TTLS, 6 = EAP-MSCHAPv2, 7 = PEAP): 1

Step 16 Enter the authentication port of the RADIUS Server (default: 1812).

    RADIUS Authentication port (0): 1812

Step 17 Enter the socket timeout of the RADIUS Server (default: 5).

    RADIUS Socket timeout (seconds) (0): 5

Step 18 Enter the socket retry count of the RADIUS Server (default: 5).

    RADIUS Socket retries (nr) (0): 5

Step 19 Enter the NAS IP Address of the RADIUS Server.

    RADIUS NAS-IP-Address (0.0.0.0): 123.123.123.123

Step 20 Enter the NAS Port Number of the RADIUS Server.

    RADIUS NAS-Port-Number (0): 1

Step 21 Enter the Shared Secret of the RADIUS Server.

    RADIUS Shared Secret (e.g. sharedsecret): thesharedsecret

Step 22 Verify the parameters and if they are correct, enter Y.

    Are the parameters correct (Y/N/Q=quit)? Y

    Storing LDAP/RADIUS Server to the database...

    Installed LDAP/RADIUS Servers
    ----------------------------------------------------------------------------------------------------------
    hostid : 1
    servertype : 2 = RADIUS
    hostname : 123.123.123.123
    connectionstring :
    rank : 1
    attrdn :
    attrcn :
    attruid :
    attrnmsprofile :
    attrname :
    attraddress :
    attrphone :
    attrinfo :
    protocoltype : CHAP
    radiusauthport : 1812
    sockettimeout : 5
    socketretries : 5
    nasipaddress : 123.123.123.123
    nasportnumber : 1
    sharedsecret : thesharedsecret
    ----------------------------------------------------------------------------------------------------------


Adding More Than One RADIUS Server

When adding more than one RADIUS Server, the parameters can be copied from the previously installed RADIUS Server.

Step 1 Run LDAPCONF.EXE by using the following command.

    C:\nms\bin>ldapconf.exe sa <sapassword>

Step 2 Select 1 and press Enter.

Step 3 Select a RADIUS Server where to copy the parameters from.

    Installed LDAP/RADIUS Servers
    ----------------------------------------------------------------------------------------------------------
    hostid : 1
    servertype : 2 = RADIUS
    hostname : 123.123.123.123
    connectionstring :
    rank : 1
    attrdn :
    attrcn :
    attruid :
    attrnmsprofile :
    attrname :
    attraddress :
    attrphone :
    attrinfo :
    protocoltype : CHAP
    radiusauthport : 1812
    sockettimeout : 5
    socketretries : 5
    nasipaddress : 123.123.123.123
    nasportnumber : 1
    sharedsecret : thesharedsecret
    ----------------------------------------------------------------------------------------------------------
    Copy parameters from already configured server (Y=<hostid of existing server>/N=No)? 1

Step 4 Enter the server type.

    Server Type (2 = RADIUS): 2

Step 5 Enter the name of the RADIUS Server.

    The IP address of the RADIUS Server (123.123.123.123): 123.123.123.124

Step 6 If the rest of the values are the same, you can accept them by pressing Enter.

    The connection string ( ):
    LDAP/RADIUS Server ranking (e.g. 1): 2
    Distinguished Name where to start user search ( ):
    Relative Distinguished Name of user container ( ):
    Name of the User Id attribute ( ):
    Name of the 8000 Manager operator profile attribute ( ):
    Name of the Operator name attribute ( ):
    Name of the Operator address attribute ( ):
    Name of the Operator phone attribute ( ):
    Name of the Additional information attribute ( ):
    Protocol Type (CHAP):
    RADIUS Authentication port (1812):
    RADIUS Socket timeout (seconds) (5):
    RADIUS Socket retries (nr) (5):
    RADIUS NAS-IP-Address (123.123.123.123):
    RADIUS NAS-Port-Number (1):
    RADIUS Shared Secret (thesharedsecret):
    -----------------------------------------------------
    Please verify that the LDAP/RADIUS Server parameters are correct:
    -----------------------------------------------------
    Server type: RADIUS
    The hostname of the LDAP/RADIUS Directory Server: 123.123.123.124
    The connection string:
    LDAP/RADIUS Server ranking: 2
    Distinguished Name where to start user search:
    Relative Distinguished Name of user container:
    Name of the User Id attribute:
    Name of the 8000 Manager operator profile attribute:
    Name of the Operator name attribute:
    Name of the Operator address attribute:
    Name of the Operator phone attribute:
    Name of the Additional information attribute:
    RADIUS Protocol: CHAP
    RADIUS Authentication port: 1812
    RADIUS Socket timeout (seconds): 5
    RADIUS Socket retries (nr): 5
    RADIUS NAS-IP-Address: 123.123.123.123
    RADIUS NAS-Port-Number: 1
    RADIUS Shared Secret: thesharedsecret
    -----------------------------------------------------
    Are the parameters correct (Y/N/Q=quit)? Y
    Storing LDAP/RADIUS Server to the database...
    Installed LDAP/RADIUS Servers
    ----------------------------------------------------------------------------------------------------------
    hostid : 1
    servertype : 2 = RADIUS
    hostname : 123.123.123.123
    connectionstring :
    rank : 1
    attrdn :
    attrcn :
    attruid :
    attrnmsprofile :
    attrname :
    attraddress :
    attrphone :
    attrinfo :
    protocoltype : CHAP
    radiusauthport : 1812
    sockettimeout : 5
    socketretries : 5
    nasipaddress : 123.123.123.123
    nasportnumber : 1
    sharedsecret : thesharedsecret
    -----------------------------------------------------
    hostid : 2
    servertype : 2 = RADIUS
    hostname : 123.123.123.124
    connectionstring :
    rank : 2
    attrdn :
    attrcn :
    attruid :
    attrnmsprofile :
    attrname :
    attraddress :
    attrphone :
    attrinfo :
    protocoltype : CHAP
    radiusauthport : 1812
    sockettimeout : 5
    socketretries : 5
    nasipaddress : 123.123.123.123
    nasportnumber : 1
    sharedsecret : thesharedsecret
    ----------------------------------------------------------------------------------------------------------

2.4.2 Adding a New Certificate File

Not all protocols require a certificate. For example, when CHAP is used you can skip this step.

Step 1 Run LDAPCONF.EXE by using the following command.

    C:\nms\bin>ldapconf.exe sa <sapassword>

Step 2 Select 2 and press Enter.

Step 3 Leave the path to the certificate file empty.

    The path to the certificate NOTE: for LDAP only! (e.g. d:\in-certificate.cer):

Step 4 Write a description for the certificate.

    Give some description to identify the certificate: Some descriptive information

Step 5 Enter certificate information.

    EAP-TLS Authentication - certificate key file type (e.g. pkcs12): pkcs12
    EAP-TLS Authentication - certificate filepath: C:\\nms\\certs\\server.pem
    EAP-TLS Authentication - key password: mykeypwd
    EAP-TLS Authentication - CA file type (e.g. pkcs12): pkcs12
    EAP-TLS Authentication - CA filepath: C:\\nms\\certs\\cacert.pem
    EAP-TLS Authentication - CA password: mykeypwd
    -----------------------------------------------------


Step 6 Verify the parameters and if they are correct, enter Y.

    Are the parameters correct (Y/N/Q=quit)? Y
    Certificate file could not be opened — ignore this for RADIUS
    Storing LDAP/RADIUS Certificate to the database...
    Installed LDAP/RADIUS Certificates
    -----------------------------------------------------
    certid certdate descr
    -----------------------------------------------------
    1 Sep 24 2009 7:01:39:870AM Some descriptive information
    -----------------------------------------------------
    Storing LDAP Certificate to the database...
    Installed LDAP Certificates
    -----------------------------------------------------
    certid certdate descr
    -----------------------------------------------------
    1 Jun 29 2009 10:25:57:930AM Some descriptive information
    -----------------------------------------------------

2.4.3 Assigning Certificates to RADIUS Servers

Step 1 Run LDAPCONF.EXE by using the following command.

    C:\nms\bin>ldapconf.exe sa <sapassword>

Step 2 Select 3 and press Enter.

Step 3 Enter the ID of the certificate.

    Choose a certificate (certid, q=quit)?: 1

Step 4 Enter the ID of the LDAP/RADIUS Server.

    Choose an LDAP/RADIUS Server (hostid)?: 1

Step 5 Verify the parameters and if they are correct, enter Y.

    Are the parameters correct (Y/N/Q=quit)? Y

    Storing LDAP/RADIUS Certificate assignment to the database...
    Assigned LDAP/RADIUS Certificates
    -----------------------------------------------------
    hostid hostname certid
    -----------------------------------------------------
    1 123.123.123.123 1
    -----------------------------------------------------

Assigning a Certificate to Additional Servers

Step 1 Select 3 and press Enter.


Step 2 Select the certificate ID and server ID and accept your selection.

    Choose a certificate (certid, q=quit)?: 1
    Choose an LDAP/RADIUS Server (hostid)?: 2
    Please verify that the assignments are correct:
    -----------------------------------------------------
    The certid of the LDAP/RADIUS Certificate: 1
    The hostid of the LDAP/RADIUS Server: 2
    -----------------------------------------------------
    Are the parameters correct (Y/N/Q=quit)? Y

    Storing LDAP/RADIUS Certificate assignment to the database...
    Assigned LDAP/RADIUS Certificates
    -----------------------------------------------------
    hostid hostname certid
    -----------------------------------------------------
    1 123.123.123.123 1
    2 ldapserver2.example.com 1
    -----------------------------------------------------

2.4.4 Enabling RADIUS Authentication

Step 1 Run LDAPCONF.EXE by using the following command.

    C:\nms\bin>ldapconf.exe sa <sapassword>

Step 2 Select 99 and press Enter.

Step 3 Confirm the enabling of the RADIUS Authentication.

    Are you sure you want to enable LDAP/RADIUS Authentication (y/n)?: y

When the LDAP/RADIUS Authentication has been enabled, it can be seen in the main menu:

    *******************************************************************
    * Copyright (C) 2006-2009 Tellabs. All rights reserved.
    *******************************************************************
    * LDAP/RADIUS Authentication (DISABLED)
    *******************************************************************
    * Choose a configuration option:
    *
    * 1. Add a new LDAP/RADIUS Server
    * 2. Add a new certificate file
    * 3. Assign certificates to LDAP/RADIUS Servers
    * 4. Modify LDAP/RADIUS Server parameters
    * 5. Modify certificate parameters
    * 6. Un-assign certificate from LDAP/RADIUS Server
    * 7. Delete certificate from database
    * 8. Delete LDAP/RADIUS Server from database
    * 9. List LDAP/RADIUS Servers from database
    * 10. List LDAP/RADIUS Certificates from database
    * 11. List assigned LDAP/RADIUS Certificates from database
    *
    * 99. Enable LDAP/RADIUS Authentication?
    * 0. Quit
    *******************************************************************
    option:

2.5 Configuring Vendor-Specific Attributes in RADIUS Server

There are two VSAs that can be specified in dictionary.tellabs, which is included by the main dictionary file.

dictionary.tellabs:

    # Tellabs dictionary - dictionary.tellabs
    #
    # Enable by putting the line "$INCLUDE dictionary.tellabs" into
    # the main dictionary file.
    #
    #
    VENDOR Tellabs 1397
    #
    # Vendor-specific attributes
    #
    ATTRIBUTE Tellabs-UserPrivilegeLevel 1 integer Tellabs
    ATTRIBUTE Tellabs-NmsProfile 2 string Tellabs

dictionary:

    ...
    $INCLUDE /etc/raddb/dictionary.tellabs
    ...

The Tellabs-NmsProfile attribute values can be configured in users; each value should match an operator profile created in the 8000 Intelligent Network Manager database.

users:

    ...
    Tellabs-NmsProfile = "radiususer"
    ...
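The following Python is an added example, not part of this manual or the Tellabs product. It parses the VENDOR/ATTRIBUTE lines of dictionary.tellabs shown above and encodes the Tellabs-NmsProfile value from the users file into the RFC 2865 Vendor-Specific attribute (type 26, vendor id 1397) that the RADIUS server actually sends, then decodes it back with length checks; the embedded dictionary text is a constructed copy of the entries above.

```python
import struct

# Constructed copy of the dictionary.tellabs entries shown above (comment lines shortened).
DICTIONARY_TELLABS = """\
# Tellabs dictionary - dictionary.tellabs
VENDOR Tellabs 1397
ATTRIBUTE Tellabs-UserPrivilegeLevel 1 integer Tellabs
ATTRIBUTE Tellabs-NmsProfile 2 string Tellabs
"""

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that carries every vendor-specific attribute


def parse_dictionary(text):
    """Map attribute name -> (vendor id, vendor type, data type) from VENDOR/ATTRIBUTE lines."""
    vendors, attrs = {}, {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments and blank lines
        if len(fields) == 3 and fields[0] == "VENDOR":
            vendors[fields[1]] = int(fields[2])
        elif len(fields) == 5 and fields[0] == "ATTRIBUTE":
            name, number, data_type, vendor = fields[1:]
            attrs[name] = (vendors[vendor], int(number), data_type)
    return attrs


def encode_vsa(attrs, name, value):
    """Build the on-the-wire RFC 2865 Vendor-Specific attribute for one dictionary entry."""
    vendor_id, vendor_type, data_type = attrs[name]
    data = value.encode() if data_type == "string" else struct.pack("!I", int(value))
    vendor_data = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    # Type(1) Length(1) Vendor-Id(4, high octet zero), then Vendor-Type/Vendor-Length/value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(vendor_data), vendor_id) + vendor_data


def decode_vsa(attrs, raw):
    """Inverse of encode_vsa; rejects inconsistent lengths instead of trusting them."""
    attr_type, attr_len, vendor_id = struct.unpack("!BBI", raw[:6])
    if attr_type != VENDOR_SPECIFIC or attr_len != len(raw) or attr_len < 8:
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_type, vendor_len = struct.unpack("!BB", raw[6:8])
    if 6 + vendor_len != attr_len:
        raise ValueError("vendor length does not match attribute length")
    data = raw[8:attr_len]
    for name, (vid, vtype, data_type) in attrs.items():
        if (vid, vtype) == (vendor_id, vendor_type):
            return name, (data.decode() if data_type == "string" else struct.unpack("!I", data)[0])
    raise KeyError("no dictionary entry for vendor %d type %d" % (vendor_id, vendor_type))


if __name__ == "__main__":
    attrs = parse_dictionary(DICTIONARY_TELLABS)
    raw = encode_vsa(attrs, "Tellabs-NmsProfile", "radiususer")  # value from the users entry above
    print(raw.hex(), decode_vsa(attrs, raw))
```

The decoded profile name is what the 8000 Intelligent Network Manager compares against its operator profiles, so a mismatch between the users file and the database shows up here before it shows up as a failed login.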
